Wow - there ARE still people on this list! ;) I tried the BPF on the startup first - it doesn't seem to work with Netflow, which kinda makes sense 'cause I think it's bound to libpcap.
The netflow thread is the one that is 2 - 3 times the load as well. G -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff Sent: Friday, June 19, 2009 2:11 PM To: [email protected] Cc: [email protected] Subject: Re: [Ntop] Overhead of netflow white/black lists? Probable silly question... Would it make sense to have a bpf expression in the startup script/settings to ignore data to/from the offending host? I believe that would incur the smallest overhead. On Fri, Jun 19, 2009 at 11:51, Gary Gatten<[email protected]> wrote: > While troubleshooting my crashes during/after IDLE_PURGE processes, I found > a host (CA eTrust) that scans our entire internal network range (all > possible host IPs) looking for new ones - a discovery process. Don't ask > why it doesn't use multicast for this - seems no one realizes multicast > exists and how to use it. > > > > Anyway, this "discovery" causes nTop to "see" almost 50,000 hosts - at which > time it crashes. I'm not 100%, but this process runs every 2 - 4 hours > depending on TOD, and sure enough - ntop shows a huge spike in host counts > and shortly thereafter the host count is zero - cause ntop is DEAD! > > > > So - I threw in a blacklist in netflow confs for this host "host not > w.x.y.z". Seems to be working, however, now the netflow thread is running 2 > - 3 times CPU it did before I added the blacklist entry. Is there really > that much overhead in the white/black lists - or am I crazy? > > > > > > TIA! > > > > Gary > > > > "This email is intended to be reviewed by only the intended recipient and > may contain information that is privileged and/or confidential. If you are > not the intended recipient, you are hereby notified that any review, use, > dissemination, disclosure or copying of this email and its attachments, if > any, is strictly prohibited. If you have received this email in error, > please immediately notify the sender by return email and delete this email > from your system." > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > > _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
